Port Scanning
Port scanning is a reconnaissance technique used to determine which network ports are open on a system and which services are listening on them. It is the first step in penetration testing and in attacker reconnaissance, and at the same time an important tool for system administrators to take inventory of their own systems.
Each port represents a potential service, and each open port is a potential vulnerability. Nmap is the most widely used tool for this, used by penetration testers, system administrators and, unfortunately, attackers as well. The difference lies in the context and the authorization.
Nmap - The Standard Tool
```bash
# Simplest scan (TCP SYN on common ports):
nmap 192.168.1.1
# Single host, all ports:
nmap -p- 192.168.1.1
# Scan a network:
nmap 192.168.1.0/24
# Service and version detection:
nmap -sV 192.168.1.1
# OS detection (requires root):
nmap -O 192.168.1.1
# Aggressive scan (-sV + OS detection + default scripts + traceroute):
nmap -A 192.168.1.1
# Commonly used combination for penetration testing:
# -sC: Default NSE scripts
# -sV: Service version detection
# -oA: Output in all formats (nmap, gnmap, xml)
nmap -sC -sV -oA scan_results 192.168.1.1
```
Scan Techniques in Detail
TCP Scan Types
SYN Scan (-sS, Stealth Scan):
- Half-open connection (SYN → SYN-ACK → RST)
- No full TCP connection → less activity in logs
- Standard for root users
- Requires root privileges (raw sockets)
Connect Scan (-sT):
- Full TCP connection
- Possible without root
- More logging on the target side
UDP Scan (-sU):
- Important! UDP services are often overlooked
- DNS (53), SNMP (161), TFTP (69), NTP (123)
- Slower than TCP scans
```bash
nmap -sU -p 53,161,500 192.168.1.1
```
Null Scan (-sN), FIN Scan (-sF), Xmas Scan (-sX):
- Bypass simple packet filters (IDS Evasion)
- Do not use the standard SYN flag, so firewalls and filters react differently to them
- Reliable only against Unix-like TCP stacks
SCTP Scans:
- For telecommunications networks (SS7, Diameter)
```bash
nmap -sY 192.168.1.1   # SCTP INIT scan
```
Scan speed (-T)
| Level | Name | Description |
|---|---|---|
| T0 | Paranoid | Very slow, IDS evasion |
| T1 | Sneaky | Slow, IDS evasion |
| T2 | Polite | Reduced bandwidth |
| T3 | Normal | Standard |
| T4 | Aggressive | Fast, for well-connected networks |
| T5 | Insane | Maximum speed, may miss hosts |
> For penetration tests: T4 is common (fast, reliable). For production scans: T2-T3 (no service disruption).
Nmap Scripting Engine (NSE)
NSE extends Nmap with Lua scripts. Predefined script categories:
| Category | Description |
|---|---|
| auth | Authentication checks |
| broadcast | Network discovery via broadcast |
| brute | Brute-force attacks (CAUTION!) |
| default | Standard scripts (-sC) |
| discovery | Service enumeration |
| dos | Denial-of-service tests (CAUTION!) |
| exploit | Exploit attempts (only with authorization!) |
| fuzzer | Protocol fuzzing |
| intrusive | Intrusive tests |
| malware | Backdoor detection |
| safe | Safe information gathering |
| version | Service version detection |
| vuln | Vulnerability scanning |
```bash
# Check for SMB vulnerabilities (EternalBlue/MS17-010):
nmap --script smb-vuln-ms17-010 -p 445 192.168.1.0/24
# HTTP server information:
nmap --script http-headers,http-title -p 80,443 192.168.1.1
# Check SSH algorithms:
nmap --script ssh2-enum-algos -p 22 192.168.1.1
# FTP anonymous login:
nmap --script ftp-anon -p 21 192.168.1.0/24
# MySQL without password:
nmap --script mysql-empty-password -p 3306 192.168.1.0/24
# SNMP community strings:
nmap --script snmp-brute -p 161/udp 192.168.1.0/24
# Full vulnerability scan:
nmap --script vuln -sV 192.168.1.1
```
Port Scanning in the Penetration Test Report
Typical Findings from Port Scans
Critical:
- RDP (3389) directly accessible from the Internet → Brute-force, BlueKeep (CVE-2019-0708)!
- SMB (445) accessible from the Internet → EternalBlue, WannaCry attack vector!
- Telnet (23) open → Plaintext communication
- FTP (21) with anonymous login
High:
- SSH (22) with password authentication (instead of key-based authentication)
- RDP without Network Level Authentication (NLA)
- Outdated SSL/TLS versions (SSLv3, TLS 1.0)
- SNMP v1/v2 with default community string "public"
Medium:
- Unnecessary services exposed (e.g. an HTTP server that serves no purpose)
- ICMP allowed (information leakage)
- Open ports that are not documented in the asset inventory
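The XML file written by `-oA`/`-oX` is the natural input for turning a scan into report findings. The following is an added example, not part of the page or of Nmap, that parses a constructed `-oX` document with Python's standard library and maps each open port to the severities listed above: RDP, SMB and Telnet are critical on sight, FTP is critical only when the `ftp-anon` script confirms anonymous login, SNMP is flagged high for a community-string check, and anything outside a hypothetical asset inventory (`DOCUMENTED`) is reported as an undocumented open port. Findings that need more than the port list, such as SSH password authentication or outdated TLS versions, are deliberately not inferred here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX layout, trimmed to the elements used below.
# It is not real scan output; addresses are from the documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/>
        <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Severity rules taken from the findings list above.
CRITICAL_PORTS = {
    ("tcp", 3389): "RDP reachable: brute-force, BlueKeep (CVE-2019-0708)",
    ("tcp", 445): "SMB reachable: EternalBlue / WannaCry attack vector",
    ("tcp", 23): "Telnet: plaintext communication",
}
HIGH_PORTS = {("udp", 161): "SNMP: verify version and default community string"}
# Hypothetical asset inventory: ports that are documented as intentionally open.
DOCUMENTED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_open_ports(xml_text):
    """Return [(addr, proto, port, service_name, {script_id: output})] for open ports."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue   # closed/filtered ports are not findings
            svc = p.find("service")
            name = svc.get("name", "") if svc is not None else ""
            scripts = {s.get("id"): s.get("output", "") for s in p.findall("script")}
            found.append((addr, p.get("protocol"), int(p.get("portid")), name, scripts))
    return found


def triage(open_ports):
    """Map open ports to report severities: [(severity, addr, proto, port, reason)]."""
    findings = []
    for addr, proto, port, name, scripts in open_ports:
        key = (proto, port)
        if key in CRITICAL_PORTS:
            findings.append(("critical", addr, proto, port, CRITICAL_PORTS[key]))
        elif key == ("tcp", 21) and "Anonymous FTP login allowed" in scripts.get("ftp-anon", ""):
            findings.append(("critical", addr, proto, port, "FTP with anonymous login"))
        elif key in HIGH_PORTS:
            findings.append(("high", addr, proto, port, HIGH_PORTS[key]))
        elif key not in DOCUMENTED:
            findings.append(("medium", addr, proto, port,
                             f"undocumented open port ({name or 'unknown service'})"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[3]))


if __name__ == "__main__":
    for sev, addr, proto, port, reason in triage(parse_open_ports(SAMPLE_NMAP_XML)):
        print(f"{sev:8} {addr}:{port}/{proto}  {reason}")
```

Port 22 produces no finding because it is in the inventory; port 80 is skipped because its state is `filtered`. In practice the inventory would be loaded from the engagement's scope document rather than hard-coded.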
Protective measures against port scanning
- Firewall: Open only explicitly required ports
- Default Deny: Block everything that is not needed
- Port Knocking: A port is opened only after a secret sequence of connection attempts
- IPS: Detect and block Nmap scans (e.g. with Snort rules)
- Honeypot Ports: Alert on any access to ports where no real service exists
- VPN-First: No direct internet access to internal systems
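The IPS and honeypot-port measures above are both detection rules, and the core logic is simple enough to show. The following added example, which is not from the page and not a Snort rule, runs two such rules over constructed iptables-style firewall log lines: one source address touching many distinct destination ports inside a short window is reported as a port scan, and any contact with a port from the honeypot list is reported immediately. The log format, the window of 10 seconds, the threshold of 8 distinct ports and the honeypot port list are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed iptables-style DROP log lines (not real traffic). 203.0.113.5
# probes ten ports within three seconds, 198.51.100.7 is a normal client,
# and 192.0.2.9 touches a honeypot port.
SAMPLE_LOG = """\
2024-05-01T10:00:00 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=21
2024-05-01T10:00:00 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=22
2024-05-01T10:00:01 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=23
2024-05-01T10:00:01 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40004 DPT=25
2024-05-01T10:00:01 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40005 DPT=80
2024-05-01T10:00:02 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40006 DPT=110
2024-05-01T10:00:02 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40007 DPT=143
2024-05-01T10:00:02 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40008 DPT=443
2024-05-01T10:00:03 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40009 DPT=445
2024-05-01T10:00:03 fw kernel: [FW-DROP] IN=eth0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=40010 DPT=3389
2024-05-01T10:00:05 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=50001 DPT=443
2024-05-01T10:00:06 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=50002 DPT=443
2024-05-01T10:00:07 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=50003 DPT=80
2024-05-01T10:00:08 fw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=50004 DPT=443
2024-05-01T10:00:09 fw kernel: [FW-DROP] IN=eth0 SRC=192.0.2.9 DST=192.168.1.10 PROTO=TCP SPT=60001 DPT=2222
"""

# Assumed honeypot ports: nothing listens there, so any contact is suspicious.
HONEYPOT_PORTS = {2222, 9999}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def detect(lines, window_seconds=10, distinct_port_threshold=8,
           honeypot_ports=HONEYPOT_PORTS):
    """Return [(kind, src, detail)] alerts: 'portscan' once per source that
    reaches the distinct-port threshold inside the sliding window, and
    'honeypot' for every contact with a honeypot port."""
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport) inside the window
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # not a firewall event line
        ts = datetime.fromisoformat(m["ts"])
        src, dpt = m["src"], int(m["dpt"])
        if dpt in honeypot_ports:
            alerts.append(("honeypot", src, f"contact on honeypot port {dpt}"))
        q = recent[src]
        q.append((ts, dpt))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()   # expire events older than the window
        distinct = {p for _, p in q}
        if len(distinct) >= distinct_port_threshold and src not in flagged:
            flagged.add(src)
            alerts.append(("portscan", src,
                           f"{len(distinct)} distinct ports within {window_seconds}s"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:9} {src:15} {detail}")
```

The distinct-port count, rather than the raw event count, is what separates the scanner from the legitimate client that retries port 443 several times. A T0/T1 scan spreads its probes over minutes, so the window would have to grow accordingly, at the cost of more memory per source.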
Legal Information
> Port scanning without authorization is a criminal offense in Germany! §202a StGB: Data espionage. Always obtain written authorization before every scan! Scope definition: Which IPs/ranges may be scanned?